Users are following malicious instructions to paste javascript: or data: URIs into address bar




8 years ago
8 years ago


(Reporter: costan, Unassigned)


Firefox Tracking Flags

(Not tracked)




8 years ago
User-Agent:       Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/534.30 (KHTML, like Gecko) Chrome/12.0.742.16 Safari/534.30
Build Identifier: 

When a URL using the javascript: pseudo-protocol is entered in the location bar, Firefox runs the script in the context of the current page. 

This behavior has been used for many spam attacks on Gmail and Facebook, and is not really useful for regular users. Therefore, please consider disabling the behavior by default, and adding a command-line flag so that developers can get it back.

Bookmarks have a similar issue, but there are legitimate javascript: bookmarklets, so that should be addressed in a separate bug.

Reproducible: Always

Steps to Reproduce:
Go to a Web site, and type javascript:alert("ohnoes"); in the omnibar, and press enter.

Actual Results:  
Modal dialog shows up.

Expected Results:  
javascript: link is silently ignored

This vulnerability is the root cause of a lot of recent spam, and should be addressed as quickly as possible, in a security update.

Comment 1

8 years ago
The specific case mentioned would be fixed by bug 598246
The case of bookmarklets is covered by bug 249453
This still leaves legitimate uses sites have of javascript: in <a href> links and form actions when no interaction with the server is needed.
Since this isn't requested as optional to turn off or back on by users, marking as invalid given the above.
Last Resolved: 8 years ago
Resolution: --- → INVALID

Comment 2

8 years ago
For being optional see bug 371923 and bug 476505

Comment 3

8 years ago
I'm sorry for picking a bad example. I'm not really worried about alerts, I just used that example because alert() is the easiest JavaScript that I can think of. I'm worried about scripts that extract information from the page, such as the user's cookies, and about scripts that automatically perform actions on a page, such as sending a Facebook / Gmail message with a spammy URL to a user's entire friend list / address book. 

I think that any use of javascript: in the address bar should be disabled, because normal users don't randomly start typing Javascript in their address bar. It's not even that useful for debugging, now that we have the Web Console and Firebug.

Does this make more sense than before? Again, I apologize for picking a bad example.
Resolution: INVALID → ---

Comment 4

8 years ago
About related bugs: bug 476505 seems to be worried about javascript: bookmarklets opened in chrome pages, and bug 371923 is also worried about bookmarks. bug 598246 seems to tackle sites that pop up multiple alert() windows.

This addresses a different vulnerability, and I think it deserves quick resolution, given the increased rate of Facebook and Gmail spam exploiting the issue. Bookmarking is harder than copy-pasting in the address bar, so fixing this issue will force spammers to come up with more complicated instructions, and should reduce the number of users who are willing to carry out the instructions.

Thank you!

Comment 5

8 years ago
Sorry, I didn't realise the steps to reproduce include "carrying out instructions" to paste a javascript: URI into the address bar. In that case the same instructions could use a data: URI just as easily.
Severity: major → normal
Summary: Disable the javascript: pseudo-protocol for the address bar → Users are following malicious instructions to paste javascript: or data: URIs into address bar

Comment 6

8 years ago
That's a great point! I didn't think of data: URIs. Thank you!
It sounds like bug 305692 would address this.
Last Resolved: 8 years ago8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 305692


8 years ago
Duplicate of bug: 527530
You need to log in before you can comment on or make changes to this bug.